-
Notifications
You must be signed in to change notification settings - Fork 536
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable configuring Envoy QAT private key provider #2565
Enable configuring Envoy QAT private key provider #2565
Conversation
Private key provider configuration will be provided by user in ProxyConfig configuration. This information will be used to send configuration to gateway/sidecar proxies.
😊 Welcome @rveerama1! This is either your first contribution to the Istio api repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
I thought I saw somewhere QAT only supports OpenSSL. but Envoy uses boringssl. Did I understand wrong, or is this somehow enabling openssl? |
QAT can be used with both OpenSSL and BoringSSL. In BoringSSL the QAT support is done using private key methods, which are hooks for overriding BoringSSL private key operations. Envoy contrib has a a QAT private key provider extension, which uses these hooks for accelerating RSA sign/decrypt operations. |
@howardjohn ping |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, minor comment
Brief background: Enabling PrivateKeyProvider through ProxyConfig was originally introduced in #2261 for CryptoMB. This PR is an addition for that. This will provide configuration for enabling QAT private key provider.
QAT support in Envoy is merged and available from envoyproxy/envoy#21984.
Next generation Intel® QAT support with Intel® Xeon® Scalable processors will feature an Intel® QAT cryptography and compression acceleration engine.
QAT private key provider extension will use qatlib library (https://github.com/intel/qatlib) to accelerate RSA operations in handshakes. The extension will look a bit like the existing cryptomb private key provider. The use case is to move the expensive cryptographic operations away from the CPU to the accelerator device, leaving CPU cycles for other use.
Additional Description:
Support for Intel® QAT is already present in the mainline Linux kernel and in Kubernetes device plugins (to expose the device files to containers). There are previous generations of Intel QAT® hardware devices, but they are not supported by this extension.